Exposing Iran's Mabna Hackers - An OSINT Analysis 


We've decided to take a deeper look inside Iran's Mabna hackers group, listed among the FBI's Most Wanted, using our own proprietary methodology for monitoring and keeping track of bad actors, including WhoisXML API's vast real-time and historical WHOIS database. The purpose is to assist U.S. law enforcement and the security industry in properly tracking down and monitoring this cyber threat actor by sharing as much actionable intelligence as possible, making it easier for everyone to keep track of Iran's Mabna hackers as they launch additional and related malicious and fraudulent online campaigns.

Sample personally identifiable email address accounts known to have been involved in the campaign include:




Related domains known to have been involved in the campaign include: 




Related personally identifiable email address accounts known to have been involved in the campaign include:




Related responding IPs known to have been involved in the campaign include: 




Related domains known to have been involved in the campaign include: 




Related domains known to have been involved in the campaign include: 




Related responding IPs known to have been involved in the campaign include: 




We'll continue monitoring the campaign and we'll post updates as soon as new developments take place.


